[META] Cryptographic agility for Sigstore clients and services #16
Labels
enhancement
New feature or request
Comments
|
@sigstore/core-team FYI |
|
For completeness:
|
Precisely. Also, I think we should be able to easily reuse the Sigstore Trusted Root here to upgrade/deprecate/remove which algorithms are supported over time. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi everyone! I figure most people are aware of aspects of this work, but I'm filing a meta-issue as a permanent record with (hopefully) enough details to fill everything in 🙂
TL;DR: My colleagues and I (at @trailofbits) are currently working on a handful of different features/changes to the (Go) clients and services (i.e. Rekor & Fulcio) to enable cryptographic agility across an agreed-upon common suite of algorithms. The ultimate vision for this is enabling a post-quantum (PQ) posture for the Sigstore ecosystem. The current plan is to prove out our approach to agility with a non-PQ addition (namely Ed25519{,ph}), with the plan to add a PQ suite once we have suitable assigned numbers (IANA or otherwise).
Here's what we have currently planned, and are currently working on:
sigstore-goverification flowscosignsign/verify flowsThe above is listed in rough order of priority: our plan is to tackle shared components/APIs first (e.g.
sigstore/sigstore), followed by services, followed by Go clients. As always, we eagerly welcome any feedback or thoughts on this approach!cc for viz: @cmurphy @bobcallaway @codysoyland @haydentherapper @loosebazooka @steiza
The text was updated successfully, but these errors were encountered: